[winswitch] [Parti-discuss] WinSwitch install instruction errata for debian based systems

Timo Juhani Lindfors timo.lindfors at iki.fi
Mon Jun 13 11:58:53 BST 2011


David Godfrey wrote:
> A good reason to use sudo in this case is the wget command.
> While the "|apt-key add" needs to be run as root, I don't believe that 
> any command that retrieves information from a webpage or similar should 
> EVER be run as root.
> Not that I know of any exploits in wget, but the potential is there, and 
> it could be disastrous.

If there's a bug in wget that allows arbitrary code execution then I
think both

1) sudo sh -c 'wget -O - http://example.com/ | sudo apt-key add -'

and

2) wget -O - http://example.com/ | sudo apt-key add -

are for practical purposes equally vulnerable. Even though wget is not
running as root it can easily trojan your user account so that the next
sudo invocation will install the real rootkit.

All else being equal, version 1) is nicer from a documentation point of
view since the full URL will be in sudo logs.
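
The logging difference between the two versions, shown as an added example that is not part of the original message: a small audit over sudo log lines that reports, for each `apt-key add`, whether the source URL can be recovered from the log entry. The log lines, host and user names are constructed, and the default sudo syslog line format is assumed.

```shell
#!/bin/sh
# Added example: audit sudo log entries for apt-key imports and report
# whether the key's source URL is recoverable from the log line itself.

# Constructed sample log lines (host, users and timestamps are made up).
# alice used version 1 (whole pipeline under sudo sh -c),
# bob used version 2 (only apt-key under sudo).
sample_log() {
cat <<'EOF'
Jun 13 11:50:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh -c wget -O - http://example.com/ | sudo apt-key add -
Jun 13 11:50:02 host sudo:     root : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-key add -
Jun 13 11:55:10 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-key add -
Jun 13 11:56:00 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
EOF
}

# Reads sudo log lines on stdin; prints "<user> <status> <url>" per key import.
audit_key_imports() {
    awk '
    / sudo: / && /COMMAND=/ {
        # Invoking user is the first field after "sudo:".
        user = $0
        sub(/^.* sudo: +/, "", user)
        sub(/ +:.*$/, "", user)

        # Everything after COMMAND= is the logged command line.
        cmd = $0
        sub(/^.*COMMAND=/, "", cmd)

        if (cmd !~ /apt-key add/) next   # only key imports matter here
        if (user == "root") next         # nested sudo inside a root shell;
                                         # the outer entry carries the context
        url = "-"
        if (match(cmd, /https?:\/\/[^ |;]+/))
            url = substr(cmd, RSTART, RLENGTH)

        status = (url == "-") ? "SOURCE-UNKNOWN" : "SOURCE-LOGGED"
        print user, status, url
    }'
}

sample_log | audit_key_imports
```

With version 2) the log shows only that a key was added from standard input, so the URL has to be recovered from somewhere else, such as the user's shell history.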





